IG Report on Clinton’s Emails

Summary

Former Secretary of State Hillary Clinton has said that her decision to use a private email account and server for government business while secretary of state was “allowed” by the State Department. She has said “my predecessors did the same thing,” and insisted she “fully complied with every rule” in preserving her work emails.

We have taken issue with those claims, and now so does the State Department Office of Inspector General, which issued a report on May 26 that contradicts several of Clinton’s claims about her emails:

The IG report cited department policies dating to 2005 that require “normal day-to-day operations” to be conducted on government servers, contrary to Clinton’s claim that her server was allowed. It also said she “had an obligation” to discuss her email system with cybersecurity officials, but there’s “no evidence” that she sought or received their approval.

The IG report said Clinton should have turned over her emails before she left office — not 21 months after she left. “[S]he did not comply with the Department’s policies that were implemented in accordance with the Federal Records Act,” the report said.

Clinton has said her emails “were captured and preserved immediately on the system at the State Department” because she emailed department officials at their government accounts. The IG report said that is “not an appropriate method of preserving any such emails that would constitute a Federal record.”

The IG report also said the only other secretary of state to use personal email “exclusively” for government business was Colin Powell, contrary to Clinton’s claim that her “predecessors” — plural — “did the same thing.” The IG also said that, like Clinton, Powell did not comply with policies on preserving work-related emails.

But the IG report said the comparison to Powell — who did not use a private server — only goes so far. It said during Clinton’s tenure, the rules governing personal email and the use of nongovernment systems were “considerably more detailed and more sophisticated,” citing specific memos that warned department employees about the security risks of not using the government system.

“Secretary Clinton’s cybersecurity practices accordingly must be evaluated in light of these more comprehensive directives,” the report said.

Brian Fallon, a Clinton campaign spokesman, told us that even though the IG report contradicts Clinton’s past statements, that “doesn’t make her statements untruthful.” He said Clinton, who declined to be interviewed by the inspector general’s staff, “believed — past tense” that her use of a private server was allowed, that it was no different than Powell using a commercial email account to conduct government business. She no longer believes that, he said, although she continues to say — as she did in an ABC News interview on May 26 after the IG report came out — that the use of personal email was allowed.

“It did not occur to her that having it on a personal server could be so distinct that it would be unapproved,” Fallon said. “We’re not intending to say post the IG report that her server was allowed. We don’t contest that. We’re saying … the use of personal email was widespread.”

Analysis

On March 2, 2015, the New York Times reported that Clinton exclusively used a private email account to conduct government business while secretary of state from January 2009 to February 2013. The Associated Press followed with a report that Clinton’s email account was hosted on a private server at her home in New York.

The disclosures triggered a series of actions, most importantly an FBI investigation into the handling of classified government material. The investigation is ongoing, and may or may not be completed before the Nov. 8 presidential election.

Separately, the State Department Office of Inspector General — which is headed by Steve A. Linick, an appointee of President Obama — conducted a review of the Office of the Secretary’s “email records management and cybersecurity requirements” since 1997, covering the tenures of five secretaries of state and their staffs. The result is a 79-page report that identified “systemic weaknesses … that go well beyond the tenure of any one Secretary of State.” It made eight recommendations to the department.

For our purposes, we reviewed the report in the context of statements that Clinton, the front-runner for the Democratic presidential nomination, has made about her unusual email arrangement since it was first disclosed more than a year ago.

‘Allowed by State Department’?

As we have written before, Clinton has said her email arrangement was “allowed” by her department and “fully above board.” Even after the report came out, Clinton continued to make this claim, saying in an ABC News interview on May 26 that “it was allowed.”

The IG report says that that was not the case.

Clinton, Sept. 4, 2015: I know why the American people have questions about it. And I want to make sure I answer those questions, starting with the fact that my personal email use was fully above board. It was allowed by the State Department, as they have confirmed.

Clinton, Sept. 7, 2015: What I did was allowed by the State Department. It was fully above board.

Clinton, May 8: Well, as I have said many times, there was — I was absolutely permitted, and I did it.

Clinton, May 26: Well, it was allowed and the rules have been clarified since I left about the practice.

The IG report said that it has been department policy since 2005 — four years before Clinton took office — that “normal day-to-day operations” be conducted on government servers.

The report also said that in 2007 the department adopted additional policies requiring “non-Departmental information systems” used to “process or store department information” to meet the same security controls as the department’s systems, and requiring that they be registered with the department. Clinton did not adhere to either policy.

State Department Inspector General, May 26: The Department’s current policy, implemented in 2005, is that normal day-to-day operations should be conducted on an authorized Automated Information System (AIS), which “has the proper level of security control to … ensure confidentiality, integrity, and availability of the resident information.” The FAM [Foreign Affairs Manual] defines an AIS as an assembly of hardware, software, and firmware used to electronically input, process, store, and/or output data. Examples include: mainframes, servers, desktop workstations, and mobile devices (such as laptops, e-readers, smartphones, and tablets).

This policy comports with FISMA [Federal Information Security Management Act], which was enacted in December 2002 and requires Federal agencies to ensure information security for the systems that support the agency’s operations and assets, including information security protections for information systems used by a contractor of an agency or other organization on behalf of an agency. FISMA defines information security as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide for the integrity, confidentiality, and availability of the information and systems. In 2006, as required by FISMA, NIST [National Institute of Standards and Technology] promulgated minimum security requirements that apply to all information within the Federal Government and to Federal information systems. Among these are requirements for certifying and accrediting information systems, retaining system audit records for monitoring purposes, conducting risk assessments, and ensuring the protection of communications.

In 2007, the Department adopted additional policies to implement these requirements, including numerous provisions intended to ensure that non-Departmental information systems that process or store Department information maintain the same minimum security controls.

Further, non-Departmental systems that are sponsored by the Department to process information on its behalf must be registered with the Department.

The IG report said Clinton “had an obligation” to discuss her email system with the department, but it could find “no evidence” that Clinton sought approval for her unusual email arrangement. If she did, the report says her request would have been denied by the bureaus of Diplomatic Security and Information Resource Management.

State Department Inspector General, May 26: Secretary Clinton used mobile devices to conduct official business using the personal email account on her private server extensively, as illustrated by the 55,000 pages of material making up the approximately 30,000 emails she provided to the Department in December 2014.

Throughout Secretary Clinton’s tenure, the FAM stated that normal day-to-day operations should be conducted on an authorized AIS, yet OIG found no evidence that the Secretary requested or obtained guidance or approval to conduct official business via a personal email account on her private server. According to the current CIO [chief information officer] and Assistant Secretary for Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email account to conduct official business with their offices, who in turn would have attempted to provide her with approved and secured means that met her business needs. However, according to these officials, DS [Bureau of Diplomatic Security] and IRM [Bureau of Information Resource Management] did not — and would not — approve her exclusive reliance on a personal email account to conduct Department business, because of the restrictions in the FAM and the security risks in doing so.

The Clinton campaign has cited a National Archives and Records Administration regulation adopted in 2009 as evidence that Clinton was allowed to send and receive work-related emails “using a system not operated by the agency,” as the rule states. That’s true, as far as it goes. The IG report says it found “many examples of staff using personal email accounts to conduct official business.” But the report also made a distinction between occasional use and exclusive use of personal email.

The report said it found only three department employees in 19 years who “used non-Departmental systems on an exclusive basis,” and two of them were secretaries of state (Clinton and Powell). The other was Jonathan Scott Gration, a former ambassador to Kenya, who ignored instructions in July 2011 not to use commercial email for government business and resigned in mid-2012 when the department initiated disciplinary action against him.

The IG report cited the Gration report as an example of how the process should work. “[T]he Department’s response to his actions demonstrates how such usage is normally handled when Department cybersecurity officials become aware of it,” the report said.

‘Fully Complied’?

The 2009 NARA rule that the Clinton campaign cites does allow for the occasional use of personal email, as we just said, but it also requires that the department “ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system.”

Clinton has insisted that she complied with that records requirement, too, because she sent emails to department staffers who had government email addresses. At a March 10 press conference, when she first took questions about her unusual email arrangement, Clinton said “the vast majority of my work emails went to government employees at their government addresses, which meant they were captured and preserved immediately on the system at the State Department.”

Clinton, March 10: I fully complied with every rule that I was governed by.

The IG report said that is not the case. It said Clinton’s method of preserving work-related emails was insufficient under the Federal Records Act.

State Department Inspector General, May 26: As previously discussed, however, sending emails from a personal account to other employees at their Department accounts is not an appropriate method of preserving any such emails that would constitute a Federal record. Therefore, Secretary Clinton should have preserved any Federal records she created and received on her personal account by printing and filing those records with the related files in the Office of the Secretary. At a minimum, Secretary Clinton should have surrendered all emails dealing with Department business before leaving government service and, because she did not do so, she did not comply with the Department’s policies that were implemented in accordance with the Federal Records Act.

Fallon, the Clinton spokesman, said “we agree in retrospect” with the IG finding that “her practice of copying aides on her emails did not end up producing a full record since State’s IT systems didn’t save everything. But that doesn’t mean she didn’t take steps to comply.”

“Our goal was to explain her state of mind at the time, because she was copying and sending” emails to people within the State Department, Fallon said. “She believed that all those emails were captured,” he said.

‘Same Thing’ As Her Predecessors?

On multiple occasions, Clinton has said she was not alone in using personal email for government business. That is correct, but she distorts the facts when saying that what she did was the same as other secretaries of state, as she did in a CNN interview on July 7, 2015, in a March 9 debate, and again in the ABC interview on May 26 after the report came out.

Clinton, July 7, 2015: There was nothing that did not give me the full authority to decide how I was going to communicate. Previous secretaries of state have said they did the same thing. … And as I said, prior secretaries of state — I mean, Secretary Powell has admitted he did exactly the same thing.

Clinton, March 9: I made a mistake. It was not prohibited. It was not in any way disallowed. And as I have said and as now has come out, my predecessors did the same thing and many other people in the government.

Clinton, May 26: This report makes clear that personal email use was the practice for other secretaries of state.

She was wrong to say “my predecessors did the same thing,” as we have pointed out before. The IG report confirms that among Clinton’s predecessors only Powell used personal email for government business. Madeleine Albright did not use email at all, and Condoleezza Rice did not use personal email to conduct government business, the IG report says.

Secretary of State John Kerry, who followed Clinton, told the inspector general’s office that he “infrequently” used personal email for government business “when responding to a sender who emailed him on his personal account.”

Even now Clinton twists the facts when she claims, as she did in the ABC News interview, that “personal email use was the practice for other secretaries of state” — meaning Powell and Kerry. It was the practice for Powell, but it was the exception for Kerry, so the plural use of “secretaries” is misleading — especially in light of the IG report.

In what reads like a direct rebuttal to Clinton’s claim that other secretaries of state have done the same thing, the IG report notes that the department’s policies on the use of personal email and nongovernment computer systems were “considerably more detailed and more sophisticated” during Clinton’s tenure. It said she should be “evaluated” differently than her predecessors.

“Beginning in late 2005 and continuing through 2011, the Department revised the FAM [Foreign Affairs Manual] and issued various memoranda specifically discussing the obligation to use Department [computer] systems in most circumstances and identifying the risks of not doing so,” the report says. “Secretary Clinton’s cybersecurity practices accordingly must be evaluated in light of these more comprehensive directives.”

In addition to the policies we outlined from the mid-2000s, the report noted specific instances in which State Department officials acted to discourage the use of personal email for government business.

For example, on March 11, 2011, the assistant secretary for diplomatic security sent a memo to Clinton that said there has been “a dramatic increase since January 2011 in attempts by [redacted] cyber actors to compromise the private home e-mail accounts of senior Department officials.” That was followed by two high-level meetings in April and May 2011 on cybersecurity that were attended by “the Secretary’s immediate staff.”

What followed was a cable that went out under Clinton’s name that “recommended best practices for Department users and their family members to follow, including ‘avoid conducting official Department business from your personal e-mail accounts,’” the report said, quoting from Clinton’s cable.

Taking Note

The report also addressed some other notable issues:

The department did not ask the four former secretaries of state, including Clinton, to sign separation agreements certifying that they had turned over all work-related documents. Clinton has been criticized by Republican strategist Karl Rove and others for failing to sign the statement, but that was part of the department’s “systemic weaknesses” and not unique to Clinton.

Two staffers in the Bureau of Information Resource Management expressed “their concerns about Secretary Clinton’s use of a personal email account in separate meetings” with the bureau director. “According to the staff member, the Director stated that the Secretary’s personal system had been reviewed and approved by Department legal staff and that the matter was not to be discussed any further,” the report said. But no legal review was done and no approval was granted.

Hackers attempted to access Clinton’s server on Jan. 9, 2011, and a phishing email message was sent to Clinton on May 13, 2011, that contained a suspicious link. Both attempted breaches should have been reported. “However, OIG found no evidence that the Secretary or her staff reported these incidents to computer security personnel or anyone else within the Department,” the report said.

Clinton and seven of her former department staffers declined to be interviewed by the IG’s office, as well as “an individual based in New York who provided technical support for Secretary Clinton’s personal email system but who was never employed by the Department.”

Clinton admits she made a mistake when she decided to use a personal email and server to conduct public business. But she has been less than forthright as she has tried to spin the facts in an attempt to minimize her admitted mistake.

The IG report makes it clear that occasional use of personal email for government business would have been acceptable as long as Clinton’s emails were preserved by the department before she left office. But the department policies at the time prevented her or anyone else from using a personal account exclusively for government business — let alone a personal server, which should have been registered with the department but was not.

Updated, May 27: This article was revised to clarify Fallon’s comments on the IG’s finding that Clinton “did not comply with the Department’s policies that were implemented in accordance with the Federal Records Act.” We added that Fallon said the Clinton campaign agrees with the IG finding that “her practice of copying aides on her emails did not end up producing a full record since State’s IT systems didn’t save everything. But that doesn’t mean she didn’t take steps to comply.”